Rethinking Lateral Movement: Don’t Fixate on RDP!
For many newcomers to pentesting, obtaining a set of valid credentials leads straight to one question: “Can I use RDP to move laterally?” RDP is a great tool, but it is not the only way to get a remote session on a Windows box. Keep reading and I will show you how to validate this and connect via WinRM, from Windows.
The very first step is to validate that the port is open. Even if we have a user who can (or should) connect, we won’t get anywhere if the port is closed or filtered. Fortunately, this is easy to check with Nmap from the attacking machine:
nmap -p 5985,5986 <target> --reason -Pn -n
This basic Nmap command tells us whether the ports are open. The “-p” flag specifies the ports: 5985 is WinRM over HTTP and 5986 is WinRM over HTTPS. The “--reason” flag shows the port state and explains how Nmap reached that conclusion (for an open port, the SYN/ACK it received). I always add “-Pn” and “-n” to avoid false negatives: “-Pn” skips host discovery, so a host that drops ping probes is still scanned, and “-n” skips DNS resolution, so name-resolution problems cannot interfere with the scan.
Once we have validated that, the next logical step is to confirm whether our user is in a group that WinRM allows. By default the WinRM session configuration admits members of the target’s local Administrators group and of Remote Management Users, so it is worth checking both. To do this, open a PowerShell session on the compromised Windows box, upload PowerView, and run the following command against the target. Note that it enumerates the remote machine’s local group over the network, which on Windows 10 1607 / Server 2016 and later is restricted to administrators by default, so an error or an empty result does not prove the user lacks access:
Get-NetLocalGroupMember -ComputerName [target server] -GroupName "Remote Management Users"
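The whole procedure (port check, group check, then the WinRM connection itself) as one script. This is an added example, not code from the original article; it runs from a PowerShell session on the compromised, domain-joined Windows host and uses the built-in WinNT ADSI provider for the group check instead of PowerView, so nothing has to be uploaded. The target SRV01.corp.local and the account CORP\jdoe are hypothetical placeholders.

```powershell
# Added example, not code from the original article. Assumes a PowerShell
# session on the compromised, domain-joined Windows host; SRV01.corp.local
# and CORP\jdoe are hypothetical placeholders.

function Test-WinRMPorts {
    param([Parameter(Mandatory)][string]$Target)
    # 5985 is WinRM over HTTP, 5986 is WinRM over HTTPS. Test-NetConnection does
    # the same TCP connect check Nmap does, from the Windows side.
    foreach ($port in 5985, 5986) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $port; Open = [bool]$r.TcpTestSucceeded }
    }
}

function Get-WinRMAllowedMembers {
    param([Parameter(Mandatory)][string]$Target)
    # The default WinRM session configuration admits local Administrators and
    # Remote Management Users, so enumerate both groups on the target.
    foreach ($groupName in 'Administrators', 'Remote Management Users') {
        try {
            $group = [ADSI]"WinNT://$Target/$groupName,group"
            foreach ($m in @($group.Invoke('Members'))) {
                # ADsPath looks like WinNT://CORP/jdoe or WinNT://SRV01/localadmin
                $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                [pscustomobject]@{
                    Group  = $groupName
                    Member = ($path -replace '^WinNT://', '') -replace '/', '\'
                }
            }
        } catch {
            # Since Windows 10 1607 / Server 2016, remote SAM enumeration is
            # restricted to administrators by default, so a failure here means
            # "unknown", not "not a member".
            Write-Warning "Could not enumerate '$groupName' on ${Target}: $($_.Exception.Message)"
        }
    }
}

function Test-WinRMAccess {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Test-WSMan talks to the listener without authenticating; Invoke-Command
    # then proves the account can actually obtain a session.
    if (-not (Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue)) {
        Write-Warning "No WinRM listener answered on $Target"
        return $false
    }
    try {
        $who = Invoke-Command -ComputerName $Target -Credential $Credential -ScriptBlock { whoami } -ErrorAction Stop
        Write-Host "WinRM session on $Target as $who"
        return $true
    } catch {
        Write-Warning "WinRM logon to $Target failed: $($_.Exception.Message)"
        return $false
    }
}

# --- usage (hypothetical target and account) ---
$target = 'SRV01.corp.local'
$user   = 'CORP\jdoe'

$ports = Test-WinRMPorts -Target $target
$ports | Format-Table -AutoSize
if (-not ($ports | Where-Object Open)) { throw "No WinRM port reachable on $target" }

$members = Get-WinRMAllowedMembers -Target $target
$members | Format-Table -AutoSize
# Direct membership only: if the account gets in through a nested domain group
# (e.g. a group that was added to Remote Management Users) it will not be listed.
if ($members.Member -contains $user) { Write-Host "$user is directly allowed on $target" }

$cred = Get-Credential -UserName $user -Message "Password for $user"
Test-WinRMAccess -Target $target -Credential $cred
```

If the compromised host is not domain-joined, or you address the target by IP rather than by name, WinRM falls back to NTLM and the client refuses the connection until the target is added to the local TrustedHosts list (Set-Item WSMan:\localhost\Client\TrustedHosts), which itself requires local administrator rights on the box you are running from.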